Question No: 161

You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto ipsec command on the headend router, you see the following output. What does this output suggest?

A remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported. Examples include access to POP3, SMTP, IMAP, SSH, and Telnet. The user needs local administrative privileges because changes are made to files on the local machine. This method of SSL VPN does not work with applications that use dynamic port assignments, for example, several FTP applications.

Question No: 164

Which command can you use to monitor the phase 1 establishment of a FlexVPN tunnel?

A. show crypto ipsec sa

B. show crypto isakmp sa

C. show crypto ikev2 sa

D. show ip nhrp

Answer: C

Question No: 165

Which algorithm is an example of asymmetric encryption?

A. RC4

B. AES

C. ECDSA

D. 3DES

Answer: C

Question No: 166

What does NHRP stand for?

A. Next Hop Resolution Protocol

B. Next Hop Registration Protocol

C. Next Hub Routing Protocol

D. Next Hop Routing Protocol

Answer: A

Question No: 167

Refer to the exhibit.

You are configuring a laptop with the Cisco VPN Client, which uses digital certificates for authentication.

Which protocol does the Cisco VPN Client use to retrieve the digital certificate from the CA server?

Certificate Revocation Lists provide the security appliance with one means of determining whether a certificate that is within its valid time range has been revoked by its issuing CA. CRL configuration is a part of the configuration of a trustpoint.

You can configure the security appliance to make CRL checks mandatory when authenticating a certificate (revocation-check crl command). You can also make the CRL check optional by adding the none argument (revocation-check crl none command), which allows the certificate authentication to succeed when the CA is unavailable to provide updated CRL data.

The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a length of time configurable for each trustpoint. When the security appliance has cached a CRL for more than the length of time it is configured to cache CRLs, the security appliance considers the CRL too old to be reliable, or "stale". The security appliance attempts to retrieve a newer version of the CRL the next time a certificate authentication requires checking the stale CRL.

Question No: 168

Refer to the exhibit.

Which two characteristics of the VPN implementation are evident? (Choose two.)

A. dual DMVPN cloud setup with dual hub

B. DMVPN Phase 3 implementation

C. single DMVPN cloud setup with dual hub

D. DMVPN Phase 1 implementation

E. quad DMVPN cloud with quadra hub

F. DMVPN Phase 2 implementation

Answer: B,C

Question No: 169

Which two GDOI encryption keys are used within a GET VPN network? (Choose two.)

A. key encryption key

B. group encryption key

C. user encryption key

D. traffic encryption key

Answer: A,D

Question No: 170

To change the title panel on the logon page of the Cisco IOS WebVPN portal, which file must you configure?